Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
The Elements of User Authentication
Configure User Authentication
Restrict Where and When Users Can Log In to Salesforce
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Configure When Users Are Prompted to Verify Identity
Require High Assurance Session Security for Sensitive Operations
Create a Login Flow
Set Up a Login Flow and Connect to Profiles
Login Flow Examples
Set Up Two-Factor Authentication
Set Two-Factor Authentication Login Requirements
Set Two-Factor Authentication Login Requirements and Custom Policies for Single Sign-On, Social Sign-On, and Communities
Set Two-Factor Authentication Login Requirements for API Access
Connect Salesforce Authenticator (Version 3 or Later) to Your Account for Identity Verification
Verify Your Identity with a One-Time Password Generator App or Device
Disconnect Salesforce Authenticator (Versions 2 and 3) from a User’s Account
Disconnect a User’s One-Time Password Generator App
Generate a Temporary Identity Verification Code
Expire a Temporary Verification Code
Delegate Two-Factor Authentication Management Tasks
Deploy Third-Party SMS-Based Two-Factor Authentication
Limit the Number of Concurrent Sessions with Login Flows
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Monitoring Your Organization’s Security
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Set Two-Factor Authentication Login Requirements and Custom Policies for Single Sign-On, Social Sign-On, and Communities

Use profile policies and session settings to set two-factor authentication login requirements for users. All Salesforce user interface authentication methods, including username and password, delegated authentication, SAML single sign-on, and social sign-on through a third-party authentication provider, are supported. You can apply the two-factor authentication requirement to users in Salesforce orgs and Communities.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed
To edit profiles and permission sets: Manage Profiles and Permission Sets
To generate a temporary verification code Manage Two-Factor Authentication in User Interface

To require two-factor authentication for users assigned to a particular profile, edit the Session security level required at login profile setting. Then set session security levels in your org’s session settings to apply the policy for particular login methods.

By default, the session security requirement at login for all profiles is None. You can edit a profile’s Session Settings to change the requirement to High Assurance. When profile users with this requirement use a login method that grants standard-level security instead of high assurance, such as username and password, they’re prompted to verify their identity with two-factor authentication. After users authenticate successfully, they’re logged in to Salesforce.

You can edit the security level assigned to a login method in your org’s Session Settings.

Users with mobile devices can use the Salesforce Authenticator mobile app or another authenticator app for two-factor authentication. Internal users can connect the app to their account in the Advanced User Details page of their personal settings. If you set the High Assurance requirement on a profile, any profile user who doesn’t already have Salesforce Authenticator or another authenticator app connected to their account is prompted to connect the app before they can log in. After they connect the app, they’re prompted to use the app to verify their identity.

Users with registered U2F security keys can use them for two-factor authentication.

Community members with the High Assurance profile requirement are prompted to connect an authenticator app during login.

  1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
  2. Select a profile.
  3. Scroll to Session Settings and find the Session security level required at login setting.
  4. Click Edit.
  5. For Session security level required at login, select High Assurance.
  6. Click Save.
  7. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
  8. In Session Security Levels, make sure that Two-Factor Authentication is in the High Assurance column.
    If Two-Factor Authentication is in the Standard column, users get an error when they log in with a method that grants standard-level security.

  9. Consider moving Activation to the High Assurance column. With this setting, users who verify their identity from an unrecognized browser or app establish a high-assurance session. When Activation is in the High Assurance column, profile users who verify their identity at login aren’t challenged to verify their identity again to satisfy the high-assurance session security requirement.

    Note

    Save your changes.

Example

You’ve configured Facebook and LinkedIn as authentication providers in your community. Many of your community members use social sign-on to log in using the username and password from their Facebook or LinkedIn accounts. You want to increase security by requiring Customer Community users to use two-factor authentication when they log in with their Facebook account, but not with their LinkedIn account. You edit the Customer Community User profile and set the Session security level required at login to High Assurance. In your org’s Session Settings, you edit the Session Security Levels. You place Facebook in the Standard column. In the High Assurance column, you place Two-Factor Authentication. You also place LinkedIn in the High Assurance column.

You can also use login flows to change the user’s session security level to initiate identity verification under specific conditions. Login flows let you build a custom post-authentication process that meets your business requirements.

Note

If users lose or forget the device they usually use for two-factor authentication, you can generate a temporary verification code for them. You set when the code expires, from 1 to 24 hours after you generate it. Your user can use the code multiple times until it expires. A user can have only one temporary code at a time. If a user needs a new code while the old code is still valid, you can expire the old code, then generate a new one. Users can expire their own valid codes in their personal settings.

The High Assurance profile requirement applies to user interface logins. OAuth token exchanges aren’t subject to the requirement. OAuth refresh tokens that were obtained before a High Assurance requirement is set for a profile can still be exchanged for access tokens that are valid for the API. Tokens are valid even if they were obtained with a standard-assurance session. To require users to establish a high-assurance session before accessing the API with an external application, first revoke existing OAuth tokens for users with that profile. Then set a High Assurance requirement for the profile. Users have to log in with two-factor authentication and reauthorize the application.

Note